Forms Authentication - Web.config and Response.redirect


I am creating a new Website Application that redirects the logged in user to a webpage based upon the role to
which he belongs programatically in 'Authentication' event. I have designed the app. so that a User can belong
to a single role at one time and I am using membership provider.  I have a web page that is stored in the root
folder which is accessible by all users(including unauthenticated users). This webpage contains different menu
items and one of them is 'login'. 

So If user A belongs to Role 'abc', he is redirected to a webpage in folder abc. Similarly if user B belongs
to role 'xyz' he is redirected to a webpage in folder 'xyz'.

My questions are :-
1. Is the above logic to have different directories for each role and redirecting based upon logged in user's
   role a good design ?   

2. The code in Authentication works fine, but the problem is that the web.config doesn't seem to stop
   unauthorized users to access web pages. So If I say in my code that user belonging to role 'xyz' is
   redirected to a webpage in folder 'abc' it still redirects the user there. The 'web.config' doesn't seem to
   stop it from happening.

   Part of my web.config in the root folder is as follows :-                        
             <allow users="*"/>                        

   Part of my web.config in the child folder is as follows :-
             <allow roles="Institute,Admin"/>                                 
      <deny users="*"/>

3. I understand that in this case Server.transfer does not work and I will have to user Response.Redirect. If I
   use Server.Transfer it does not do anything.

4. Will it be a good idea to store the default page directory and the web page in database and not in the
   'Authenticate' method to provide extensibility.


7/17/2007 11:24:48 PM 27051 articles. 1 followers. Follow

1 Replies

Similar Articles

[PageSpeed] 56
Get it on Google Play
Get it on Apple App Store


Well, just my comprehension and thought about your question. Hope this would generate more public discuss.

1, Many people programme like this and it works well

if (HttpContext.Current.User.IsInRole("Admin"))

2, Please use the security Setup Wizard in ASP.NET web Site Administration Tool to configure access role, then you may find some difference in the automatically generate web.config

3, I'm not sure, you mean the URL in address bar doesn't change?

4, I think config file mode is far more open to read/write than Database and many people have used to it.

Please correct me if any misunderstanding.

Best Regards
XiaoYong Dai
Microsoft Online Community Support

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
7/19/2007 11:46:38 AM

Similar Artilces:

Forms.Authentication + response.redirect
Hi,  I wrote a small app with just one login page and use forms authentication for this. I wrote a small LDAP Authentication class which works great, didn't want the asp provider for it.... My question: All users should be directed to page x after successfully logged in.  One special user should be redirected to an other page (kind of admin page) but the authentication is the same. What's the right way to do this in ? It's not necessary that this special user should be able to login to page x too !  I just thought of redirecting the user in the page x load...

Basic Query - Form Authentication
Hi! All, Consider me Dumbo, but here is my query: Query: When someone click on the "My Account" Link then I need to take them to the Login.aspx file, once they are on the Login.aspx I need to take them to their "My Account : Home Page" Once they are there they can update their profile, update their password etc. Now if someone try to access that Secure "My Account" area, so I need to throw them back to the Login.aspx, that is quiet obvious and easily one can implement it in their ASP.NET Application (as I read the following artilce: http://www.4guysfro...

Server.Transfer / Response.Redirect & forms authentication
Hi, thank you in advance for any support. I have confused myself with this one and would be gratefull if anyone could explain. I have a site employing forms authentication, in my root directory there is a web.config that has <allow users="*" /> and in a subdirectory called secure there is another web.config that has <deny users="?" /> . Whenever I try to access a file in the secure folder directly by typing in the url it redirects me to login.aspx as intended then once successfully logged in RedirectFromLoginPage back to requested page. On my default...

Forms Authentication : Redirecting without authentication
Hello,we are developing a web application. We have used forms authentication as follows.     <authentication mode="Forms">    <forms name="Loginform" timeout="120"/>    </authentication> My page url is "http://localhost/ess/login.aspx" I have a start page as a Login.aspx in which a company information and flash images are displayed. Also one button named "Login" is present onto it. And when a user clicks on it, My "Default.aspx" opens into new window with full screen. After entering the correct credentials to this page, our app...

How to authenticate against the ADAM by using Forms authentication and Visual C# .NET
How to authenticate against the Active Directory by using Forms authentication and Visual C# .NET;EN-US;Q316748 I followed this link for AD but did not work for ADAM. any help for the authenticate against the ADAM by using Forms authentication and Visual C# .NET would be appreciated.   Thanks in advance.    Hi dpatelPA, Please take a look at this tutorial: How To: Use Forms Authentication with Active Directory in ASP.NET 2.0:   Thanks.Davi...

Redirect to a page secured by basic authentication from a non-secure page?
Hello,I am working on an ASP.NET 2.0 webapp which is secured via our own mechanism which is similar to forms based security.  Thus, the web application itself has anonymous authentication enabled.However, our help site, a straight html app that is low sensitivity, but sensitive enough that we want to prevent the casual browser from viewing it, is secured via Basic Authentication.The question is, is there some way by which our main application can perform a redirect or transfer to the help site w/out prompting the user for credentials? Basically, what happens is that ther...

Authenticate against the Active Directory by Using Forms Authentication and Visual Basic .NET
I am using the code found on microsoft site;en-us;326340 And when i run it I get an error: Error authenticating. Error authenticating user. A referral was returned from the server I have changed the code to specify my domain DC=MyDomain,DC=local Has anyone run into this or knows what it means? Thanks Craig Hi Craig, Its giving me the same error. Can you please tell me how u specified ur DC,LDAP etc.. For example:- Dim domainAndUsername As String = domain & "\" & username Dim entry A...

[PATCH lib/Net/, MANIFEST, t/lib/Mock/, lib/Net/Config.t] Add Tests for Net::Config
Here's a test suite for Net::Config. In the process of writing this, I've fixed an apparent bug that prevented single values from becoming array references when necessary. I think it's right, but perhaps Graham should weigh in on this. In the process, with some advice from perl-qa, I've added a mock object so the test could control the output of Socket::inet_ntoa() and Socket::inet_aton(). t/lib/Mock/ seemed like as good a place as any. I'm happy to rework this patch if it personally offends anyone whose opinion matters. :) -- c --- lib/Net/ S...

Secure Form Authentication??
Hi, Could someone please give examples to how a secure form authentication can be performed without the need of SSL? Are there ways to avoid the "free text" over cable?Regardstwyk168 If you must keep data secure over the wire then SSL is a must.Some hosting companies offer plans that have shared ssl on them - maybe an option for you. Rob

Forms authentication redirection
Hiya im using forms authentication, to redirect users on login i use: System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False) this redirects them to the page they requested, but if they havent requested a page, how do i redirect them to a specific page? I would rather specify this here than using the web.config forms setup. many thanks Tom Hi, Please check my article Forms Authentication - Redirecting users to a Page other than Default.aspx. It addresses your situation and provides the solution for the same. Write back if y...

No Redirect on Form Authentication
Hi guys i'm building a site using form authentication. All my settings in my webconfig seem to be correct, meaning correct connection string, provider configurations, etc. when i get to the login page and enter the user information that has been created and on the asp_users table. But when i submit. the login form clears and the page doesn't redirect. Please help and thanks in advance Check out this, something may be missed out[MCTS]Few have audacity to speak truth Have you specifie...

how secure is forms authentication?
With the application I'm building right now, every user has a numerical UserID, and just about all the data in my SQL Server database is linked to that number, so it's very important I keep that number confidential. For the authentication scheme, I have a basic login/pass page where I authenticate a user by using Forms Authentication with cookies, and assigning their UserID to the User.Identity.Name property. Then, on any protected pages, I basically make references to the UserID by saying Int32.Parse(User.Identity.Name). When I combine this with SSL, is this a secure enough scheme to make s...

Forms Authentication
 As I understand it, the Forms Authentication cookie is encrypted, signed, hashed, etc. If my website relied on the username of the cookie to get the active user, how secure would my website be? I wanted to know if anyone has read or seen anything about this system being broken. Friend, First, the auth cookie is encrypted. Others will not have direct access to the int value. Second, if you are transmitting it only over 128 bit SSL then that will be almost impossible to get at. However, I assume that you, like most people, are only using the SSL on the pages that MUST be secure l...

Forms Authentication redirects
Hello,  I'm using a shared windows hosting with ASP.NET 2.0 . The main domain is pointing to / path of the server. I bought a second domain ( )which points to /doimain1/  so the website for the second domain is located in this folder. This folder is also selected as application root with write permissions from hosting cpanel. In this folder I have another folder admin (/domain1/admin) where I restrict access of unauthenticated users. From my web.config:<authentication mode="Forms"> <forms loginUrl="~/admin/Login.aspx" timeout...

Forms authentication and redirection
I have been looking around for this to no avail and it seems like it should be a very simple matter.  I have a website that uses forms authentication.  When I authenticate a user and redirect them using FormsAuthentication.RedirectFromLoginPage(user, false), how can I change the default redirect URL from default.aspx to something else like MemberContent.aspx, etc?As I understand it I need to change the default redirectURL, but I am not sure where and how.Thanks for any and all assistance!Jon If you want the users to be redirected to some other URL then the ReturnURL then you have...

Web resources about - Forms Authentication - Web.config and Response.redirect -

Authentication - Wikipedia, the free encyclopedia
Authentication (from Greek : αὐθεντικός authentikos , "real, genuine," from αὐθέντης authentes , "author") is the act of confirming the truth ...

New Tools to Optimize App Authentication
At f8, we announced a redesigned Auth Dialog and a new authentication flow to give developers more control over people’s first experience with ...

Facebook Tells Some Developers They Have 48 Hours to Fix Authentication Data Leaks
... sent an email to what it calls a “very small percentage of the developer community” informing them their apps are suspected of leaking authentication ...

Lockdown - A better two-factor authentication experience on the App Store on iTunes
Get Lockdown - A better two-factor authentication experience on the App Store. See screenshots and ratings, and read customer reviews.

Sony Authentication Power Outlet Recognizes Users and Devices #DigInfo - YouTube
Sony Authentication Power Outlet Recognizes Users and Devices DigInfo TV - 9/3/2012 NFC & Smart WORLD 2012 Sony Authentication ...

SafeNet brings Cloud-based authentication service to A/NZ
SafeNet has released its new Cloud-based authentication service, billed as Authentication-as-a-Service, in A/NZ.

Two-factor authentication - cyber security -
Two recent hacking cases highlight how personal emails can impact overall business security through tiny weaknesses.

Digital authentication to become Google's next big focus
Streamlining the website login process a top priority, according to the company’s Australian business and consumer services manager Dan Metcalf. ...

ATO boosts service access via app and voice authentication
The ATO has announced it will extend its voice authentication system to its mobile app

Resources last updated: 12/24/2015 9:54:42 AM